Session Cookie seems to be disappearing...

KaiVar

Guppy
Hi,

I seem to be experiencing problems with session cookies. I think that it relates to 3rd party cookies and tighter privacy settings in IE.

I have my domains registered with another provider, and forwarded to my website hosted on JodoHost. This in itself doesn't seem to pose a problem. The problem occurs when I subsequently redirect the user to a login screen using HTTPS, and the shared digital certificate to my JodoHost 3rd level domain (mywebsite.my hsphere.biz). It is at this point that the session cookie seems to disappear. If I reduce my IE privacy level to low, it all works fine.

Has anyone had a similar experience? I was thinking of buying a digital certificate of my own to avoid using this 3rd level domain and shared certificate. Has anyone done that? Do you think that this will resolve my problem?

Sorry to be a bit long-winded, but if you can help in any way, I'd be grateful.

Cheers,


Kaine
 
I would say your summary is pretty accurate. You'll lose the session cookie because in essence you are switching to another domain (hsphere.biz).

Would you be able to track with server-side sessions instead of client side cookies? You won't have the same issue with browser security blocking the cookie.
 
KCWebMonkey,

Thanks for your response. Not sure I fully understand your question, but it seems to be dropping the session as well, I suspect that the ASP session ID cookie is not being preserved either.

Unfortunately, as you've probably gathered, I'm using old school ASP rather than ASP.NET.

Do you think that purchasing my own certificate to use on my domain will help?

Thanks,


Kaine
 
If ASP sessions or session cookies can't live across domains, then yes, it would solve your issue if you had your own certificate because you would stay in the same domain. But there's got to be another solution for this, as I seriously doubt if this hasn't come up before.
 
KCWebMonkey,

I suspect that MS are continuing to tighten security and privacy in IE, which is why this is only coming to light now, but I have no way of telling for sure. Do you think that there is a possibility it could be a server setting, some kind of security setting or privacy setting? I guess we're on 2003 server by now, and maybe the switch over has had some effect?

We've had isolated issues in the past, but this is the first time that it is having a knock-on effect to me.

Thanks for your input, and if there is anything else you can add I'd be very grateful.


Kaine
 
8o

Spookily, it all seems to have begun working again...all by itself...

Have there been interventions by JodoHost???


Kaine
 
Whoops...Spoke too soon, it seems that I still had my IE privacy settings set to low. So I guess it's back to square one...?(
 
As far as I was aware, the cookie should be disappearing - regardless of IE settings. When you go back to a page on your own domain, the original cookie would be sent again, reconnecting you to your original session.

As I think some more about it though, I suppose the behaviour of sending cookies from the browser to another domain is the basis of XSS security holes, so it could follow that IE would send cookies across domains in low security mode.

I suspect that you can't rely on propagating a session between your https pages and your http pages when using a shared SSL certificate. That's my take on it anyway :)

inoodle
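
An added example, not part of any post in this thread: a simplified model of the RFC 6265 rule a browser uses to decide which hosts get a cookie back, applied to a session cookie issued on a site's own hostname followed by a login page on a shared-certificate hostname. All hostnames, the cookie name and value, and the function names are constructed for illustration.

```javascript
// Simplified RFC 6265 cookie handling (domain-match 5.1.3, sending rules 5.4).
// Constructed sample data; path, expiry and public-suffix checks are left out.

// A host domain-matches a cookie domain if equal, or if it is a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host);
  return !isIp && host.endsWith("." + cookieDomain);
}

// Parse a Set-Cookie header received from originHost into a stored cookie.
// Returns null when the browser would refuse it.
function storeCookie(originHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host gets it back
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "domain" && val) {
      const d = val.replace(/^\./, "").toLowerCase();
      // A server cannot set a cookie for a domain that does not cover itself.
      if (!domainMatch(originHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for url?
function wouldSend(cookie, url) {
  const { hostname, protocol } = new URL(url);
  if (cookie.secure && protocol !== "https:") return false;
  return cookie.hostOnly ? hostname === cookie.domain : domainMatch(hostname, cookie.domain);
}

// Session cookie issued on the site's own hostname (constructed sample).
const session = storeCookie("www.mysite.example", "ASPSESSIONIDSAMPLE=ABC123; path=/");
```

In this model `wouldSend(session, ...)` is true for `www.mysite.example` over HTTP or HTTPS and false for a login URL on `mysite.sharedhost.example`, and a `Set-Cookie` naming the shared host's domain is rejected outright.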
 